Contains settings of the outgoing alerts sent by Kaspersky CyberTrace.
Path
Domains > Domain > OutputSettings > EventSettings
Attributes
This element has no attributes.
Nested elements
To specify values for EventFormat and ActionableFieldContextFormat, you may need to learn more about alert format patterns.
This element is a container for the following nested elements:

- EventFormat: specifies the format of outgoing alerts. This element is mandatory.
- SendEventFilters: contains filtering rules for detection alerts from Kaspersky CyberTrace. You can specify several filtering rules at once.
- ActionableFieldContextFormat: specifies how actionable fields must be added to an alert. This element is mandatory.
- FinishedEventFormat: specifies the format of the alert that is generated for each processed event. This element is mandatory. For more information about this element, see the "EventSettings > FinishedEventFormat" subsection below.
EventSettings > FinishedEventFormat
Specifies the format of the alert that is generated after an event is processed.
If this parameter is enabled, Kaspersky CyberTrace will generate an alert for each event that it processes. An alert is generated even if there were no detections.
This element is mandatory.
The value of this element specifies the alert format. You can use the %RecordContext% pattern and regular expression names in the format.
If used, the %RecordContext% pattern provides the following fields:

- A field whose value is "LookupFinished" for alerts of this type.
- sent_events: the number of alerts sent to a SIEM system.
- total: a concatenation of the substrings `<category>:<number_of_detections>;`, one for every category assigned to detection alerts.

If there were no detections, the sent_events parameter is set to 0 and the total string is empty.
This element has the following attributes:

FinishedEventFormat element attributes

Attribute | Description
---|---
enabled | Defines whether special alerts are generated. In the example below it is set to "true". This attribute is optional.
Example
The following is an example of this element.
```xml
<EventSettings>
  <EventFormat>%RE_DATE% category=%Category% matchedIndicator=%MatchedIndicator% url=%RE_URL% src=%SRC_IP% ip=%RE_IP% md5=%RE_MD5% sha1=%RE_SHA1% sha256=%RE_SHA256% usrName=%RE_USERNAME%%RecordContext%</EventFormat>
  <SendEventFilters>
    ...
  </SendEventFilters>
  <ActionableFieldContextFormat><![CDATA[ %ParamName%:%ParamValue%]]></ActionableFieldContextFormat>
  <FinishedEventFormat enabled="true">LookupFinished %RecordContext%</FinishedEventFormat>
</EventSettings>
```
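The following script is an added example and is not part of this page or of Kaspersky CyberTrace itself. It checks an EventSettings fragment for the mandatory nested elements listed above and shows what a LookupFinished alert looks like once %RecordContext% is expanded, including the no-detection case where sent_events is 0 and total is empty. The sample XML is the example from this page with the elided SendEventFilters body left empty; the category names are constructed, and rendering the %RecordContext% fields as `key=value` pairs is an assumption, not the documented wire format.

```python
import xml.etree.ElementTree as ET

# Constructed sample input: the element example from this page, with the
# SendEventFilters body (which the page elides with "...") left empty.
SAMPLE_EVENT_SETTINGS = """<EventSettings>
  <EventFormat>%RE_DATE% category=%Category% matchedIndicator=%MatchedIndicator% url=%RE_URL% src=%SRC_IP% ip=%RE_IP% md5=%RE_MD5% sha1=%RE_SHA1% sha256=%RE_SHA256% usrName=%RE_USERNAME%%RecordContext%</EventFormat>
  <SendEventFilters></SendEventFilters>
  <ActionableFieldContextFormat><![CDATA[ %ParamName%:%ParamValue%]]></ActionableFieldContextFormat>
  <FinishedEventFormat enabled="true">LookupFinished %RecordContext%</FinishedEventFormat>
</EventSettings>"""

# Nested elements this page marks as mandatory.
MANDATORY_ELEMENTS = ("EventFormat", "ActionableFieldContextFormat", "FinishedEventFormat")


def check_event_settings(xml_text):
    """Return a list of problems found in an EventSettings fragment; an empty
    list means every mandatory nested element is present and carries a format."""
    root = ET.fromstring(xml_text)
    if root.tag != "EventSettings":
        return [f"root element is <{root.tag}>, expected <EventSettings>"]
    problems = []
    for name in MANDATORY_ELEMENTS:
        element = root.find(name)
        if element is None:
            problems.append(f"missing mandatory element <{name}>")
        elif not (element.text or "").strip():
            problems.append(f"element <{name}> has no format string")
    finished = root.find("FinishedEventFormat")
    # Added consistency check (not a rule stated on the page): an enabled
    # FinishedEventFormat that never uses %RecordContext% drops the per-event
    # counts, so the SIEM would receive a bare "LookupFinished" line.
    if (finished is not None and finished.get("enabled") == "true"
            and "%RecordContext%" not in (finished.text or "")):
        problems.append("FinishedEventFormat is enabled but does not use %RecordContext%")
    return problems


def record_context(sent_events, category_counts):
    """Build the %RecordContext% expansion for a LookupFinished alert from the
    fields the page lists: sent_events and the per-category total string.
    Rendering them as key=value pairs is an assumption made for this example."""
    total = "".join(f"{category}:{count};" for category, count in category_counts.items())
    return f"sent_events={sent_events} total={total}"


def render_finished_event(xml_text, sent_events, category_counts):
    """Expand FinishedEventFormat for one processed event, or return None when
    the element is absent or not enabled (no LookupFinished alert is emitted)."""
    root = ET.fromstring(xml_text)
    finished = root.find("FinishedEventFormat")
    if finished is None or finished.get("enabled") != "true":
        return None
    context = record_context(sent_events, category_counts)
    return (finished.text or "").replace("%RecordContext%", context)


if __name__ == "__main__":
    print("problems:", check_event_settings(SAMPLE_EVENT_SETTINGS))
    # Constructed detection counts: two categories, three alerts sent in total.
    print(render_finished_event(SAMPLE_EVENT_SETTINGS, 3, {"Malware_Feed": 2, "Phishing_Feed": 1}))
    # No detections: sent_events is 0 and the total string is empty.
    print(render_finished_event(SAMPLE_EVENT_SETTINGS, 0, {}))
```

Running the script against the page's own example reports no problems and prints `LookupFinished sent_events=3 total=Malware_Feed:2;Phishing_Feed:1;` followed by `LookupFinished sent_events=0 total=`; on the SIEM side, a parser for these alerts should therefore accept an empty total value rather than treating it as a malformed line.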